IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: issues
Niels Möller writes:
[...]
> > (The usual 1024-bit Diffie-Hellman group gives security level similar
> > to a 80-bit block cipher. Here exponent must be more than
> > 160-bits---increasing it would not give any more security, but
> > decreasing it would indeed decrease security.)
>
> If these figures are right, then the conclusion must be that we should
> offer some bigger groups. Either by adding some
> diffie-hellam-group2-sha1 key exchange method, or making the
> group-exchange mechanism mandatory.
It is an easy matter to use the complexity estimates for GNFS to see
that (say) RSA of 1024-bits gives about 80-bits of security when
measured in elementary bit operations. There is a paper by Lenstra and
Verheul on this if you want to see some interesting
tabulations. Recall that complexity estimates for discrete log and
factorization are pretty much equal (except for some minor bias in the
favour of discrete logs).
IPsec's IKE groups could be directly taken by SSH2, but even they
don't get yet close the 256-bit limit (which requires the mentioned
13K-bit primes).
Best regards,
Mika Kojo
SSH Communications Security Corp
Home |
Main Index |
Thread Index |
Old Index